MAN page from RedHat 7.X ethereal-0.8.20-1.i386.rpm
Section: The Ethereal Network Analyzer (1)
mergecap - Merges two capture files into one
][ -s snaplen
][ -F file format
][ -T encapsulation type
is a program that combines multiple saved capture files intoa single output file specified by the -w
knowshow to read libpcap
capture files, including those of tcpdump
. Inaddition, Mergecap
can read capture files from snoop
) and atmsnoop
(compressed oruncompressed), Microsoft Network Monitor
, Sniffer Pro
router debug output, HP-UX
, and the dumpoutput from Toshiba's ISDN
routers. There is no need to tellMergecap
what type of file you are reading; it will determine thefile type by itself. Mergecap
is also capable of reading any ofthese file formats if they are compressed using gzip. Mergecap
recognizes this directly from the file; the '.gz' extension is notrequired for this purpose.
By default, it writes the capture file in libpcap format, and writesall of the packets in both input capture files to the output file. The-F flag can be used to specify the format in which to write thecapture file; it can write the file in libpcap format (standardlibpcap format, a modified format used by some patched versions oflibpcap, the format used by Red Hat Linux 6.1, or the format used bySuSE Linux 6.3), snoop format, uncompressed Sniffer format,Microsoft Network Monitor 1.x format, and the format used byWindows-based versions of the Sniffer software.
Packets from the input files are merged in chronological order based oneach frame's timestamp, unless the -a flag is specified. Mergecapassumes that frames within a single capture file are already stored inchronological order. When the -a flag is specified, packets arecopied directly from each input file to the output file, independent ofeach frame's timestamp.
If the -s flag is used to specify a snapshot length, frames in theinput file with more captured data than the specified snapshot lengthwill have only the amount of data specified by the snapshot lengthwritten to the output file. This may be useful if the program that isto read the output file cannot handle packets larger than a certain size(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6appear to reject Ethernet frames larger than the standard Ethernet MTU,making them incapable of handling gigabit Ethernet captures if jumboframes were used).
The output file frame encapsulation type is set to the type of the inputfiles, if all input files have the same type. If not all of the inputfiles have the same frame encapsulation type, the output file type isset to WTAP_ENCAP_PER_PACKET. Note that some capture file formats, mostnotably libpcap, do not currently support WTAP_ENCAP_PER_PACKET.This combination will cause the output file creation to fail.
If the -T flag is used to specify a frame encapsulation type, theencapsulation type of the output capture file will be forced to thespecified type, rather than being the type appropriate to theencapsulation type of the input capture files. Note that this merelyforces the encapsulation type of the output file to be the specifiedtype; the packet headers of the packets will not be translated from theencapsulation type of the input capture file to the specifiedencapsulation type (for example, it will not translate an Ethernetcapture to an FDDI capture if an Ethernet capture is read and '-Tfddi' is specified).
- Sets the output filename.
- Sets the file format of the output capture file.
- Sets the packet encapsulation type of the output capture file.
- Causes the frame timestamps to be ignored, writing all packets from thefirst input file followed by all packets from the second input file. Bydefault, when -a is not specified, the contents of the input filesare merged in chronological order based on each frame's timestamp.Note: when merging, mergecap assumes that packets within a capturefile are already in chronological order.
- Causes mergecap to print a number of messages while it's working.
- Sets the snapshot length to use when writing the data.
- Prints the version and options and exits.
is based heavily upon editcap
by Richard Sharpe<email@example.com
> and Guy Harris <guyAATTalum.mit.edu>.
Mergecap is part of the Ethereal distribution. The latest versionof Ethereal can be found at http://www.ethereal.com.
Original Author -------- ------ Scott Renfro <scottAATTrenfro.org>
- SEE ALSO
This document was created byman2html,using the manual pages.